Add session_store setting
jkowens committed Aug 4, 2016
1 parent 1340606 commit 4ee4b81
Showing 3 changed files with 44 additions and 22 deletions.
59 changes: 39 additions & 20 deletions README.md
Expand Up @@ -75,6 +75,7 @@ pick up if available.
* [Filters](#filters)
* [Helpers](#helpers)
* [Using Sessions](#using-sessions)
* [Choosing Your Own Session Middleware](#choosing-your-own-session-middleware)
* [Halting](#halting)
* [Passing](#passing)
* [Triggering Another Route](#triggering-another-route)
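Review bot: the new TOC entry sits at the same level as `* [Using Sessions](#using-sessions)`, but the heading it points to (`#### Choosing Your Own Session Middleware`) is a level-4 subsection of that level-3 section; indent it under the `Using Sessions` entry so the table of contents reflects the heading hierarchy.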
Expand Down Expand Up @@ -1377,25 +1378,6 @@ get '/:value' do
end
```

Note that `enable :sessions` actually stores all data in a cookie. This
might not always be what you want (storing lots of data will increase your
traffic, for instance). You can use any Rack session middleware: in order to
do so, do **not** call `enable :sessions`, but instead call `set
:sessions` with your middleware of choice passed in as the value for
`:session_store` along with any other options:

```ruby
set :sessions, :session_store => Rack::Session::Pool, :expire_after => 2592000
get '/' do
"value = " << session[:value].inspect
end
get '/:value' do
session['value'] = params['value']
end
```

To improve security, the session data in the cookie is signed with a session
secret. A random secret is generated for you by Sinatra. However, since this
secret will change with every start of your application, you might want to
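Review bot: this removal drops the only mention of passing `:session_store => Rack::Session::Pool` inside `set :sessions`, the form existing apps (and the old test) use, and the matching `options.delete(:session_store)` line is removed from `lib/sinatra/base.rb`, so that form no longer selects the store. Add a sentence here or in the new section saying the key must now be given via `set :session_store, ...`, and consider noting the change in the changelog.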
Expand All @@ -1419,6 +1401,40 @@ domain with a *.* like this instead:
set :sessions, :domain => '.foo.com'
```

#### Choosing Your Own Session Middleware

Note that `enable :sessions` actually stores all data in a cookie. This
might not always be what you want (storing lots of data will increase your
traffic, for instance). You can use any Rack session middleware: in order to
do so, one of the following methods can be used:

```ruby
enable :sessions
set :session_store, Rack::Session::Pool
```

Or to enable sessions with a hash of options:

```ruby
set :sessions, :expire_after => 2592000
set :session_store, Rack::Session::Pool
```

Another option is to **not** call `enable :sessions`, but instead pull in your
middleware of choice as you would any other middleware:

```ruby
use Rack::Session::Pool, :expire_after => 2592000
```

It is important to note that when using this method, session based protection (see 'Configuring attack protection') will not be enabled by default. The Rack middleware to do that will also need to be added:

```ruby
use Rack::Session::Pool, :expire_after => 2592000
use ::Rack::Protection::RemoteToken
use ::Rack::Protection::SessionHijacking
```

### Halting

To immediately stop a request within a filter or route use:
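Review bot: the paragraph starting "It is important to note" should also say that the protection middleware has to be added after the session middleware, since `Rack::Protection::RemoteToken` and `Rack::Protection::SessionHijacking` read and write the session that the store sets up; the example has the right order but the prose does not say the order matters. Minor points in the same hunk: `::Rack::Protection::RemoteToken` uses a leading `::` while `Rack::Session::Pool` on the line above does not, "session based" should be "session-based", and that paragraph is one long line where the rest of the README wraps at about 80 columns.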
Expand Down Expand Up @@ -2099,7 +2115,7 @@ set :protection, :except => [:path_traversal, :session_hijacking]
```
By default, Sinatra will only set up session based protection if `:sessions`
has been enabled.
have been enabled. See 'Using Sessions'.
### Available Settings
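Review bot: "if `:sessions` have been enabled" is a grammatical regression; `:sessions` is a single setting, so the original "has been enabled" was correct. Keep "has" and only append the cross-reference: `has been enabled. See 'Using Sessions'.`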
Expand Down Expand Up @@ -2230,6 +2246,9 @@ has been enabled.
See 'Using Sessions' section for more information.
</dd>
<dt>session_store</dt>
<dd>The Rack session middleware used. Defaults to <tt>Rack::Session::Cookie</tt>. See 'Using Sessions' section for more information.</dd>
<dt>show_exceptions</dt>
<dd>
Show a stack trace in the browser when an exception happens. Enabled by
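Review bot: the `session_store` description should state that the setting only takes effect when `:sessions` is enabled, because `setup_sessions` in `lib/sinatra/base.rb` is what passes it to the builder (the new README section pairs `enable :sessions` with `set :session_store`). Also match the layout of the neighbouring entries, which put `<dd>` and its text on separate lines.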
2 changes: 1 addition & 1 deletion lib/sinatra/base.rb
Expand Up @@ -1709,7 +1709,6 @@ def setup_sessions(builder)
options = {}
options[:secret] = session_secret if session_secret?
options.merge! sessions.to_hash if sessions.respond_to? :to_hash
session_store = options.delete(:session_store) { Rack::Session::Cookie }
builder.use session_store, options
end

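Review bot: dropping `options.delete(:session_store) { Rack::Session::Cookie }` is a silent behaviour change for apps that pass `set :sessions, :session_store => SomeStore` (the form the old test used): the key is no longer pulled out of the hash, so `builder.use session_store, options` now mounts the default `Rack::Session::Cookie` with `:session_store` forwarded as an option to it. Keep a compatibility path for one release, e.g. `session_store = options.delete(:session_store) { self.session_store }` with a deprecation warning, or call the break out in the changelog.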
Expand Down Expand Up @@ -1782,6 +1781,7 @@ def self.force_encoding(data, *) data end
set :dump_errors, Proc.new { !test? }
set :show_exceptions, Proc.new { development? }
set :sessions, false
set :session_store, Rack::Session::Cookie
set :logging, false
set :protection, true
set :method_override, false
5 changes: 4 additions & 1 deletion test/settings_test.rb
Expand Up @@ -567,7 +567,10 @@ def use(middleware, *)

it 'sets up RemoteToken if sessions are enabled with a custom session store' do
MiddlewareTracker.track do
Sinatra.new { set :sessions, :session_store => Rack::Session::Pool }.new
Sinatra.new {
enable :sessions
set :session_store, Rack::Session::Pool
}.new
assert_include MiddlewareTracker.used, Rack::Session::Pool
assert_include MiddlewareTracker.used, Rack::Protection::RemoteToken
end
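Review bot: the updated test only covers `enable :sessions` plus `set :session_store`; nothing asserts the default (`Rack::Session::Cookie` mounted when only `enable :sessions` is called) or the `set :sessions, :expire_after => ...` plus `set :session_store` form the README now documents. Adding those two cases would also catch regressions from the removed `:session_store =>` hash-key handling in `lib/sinatra/base.rb`.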

0 comments on commit 4ee4b81